CVE-2022-38378: 
FortiOS vulnerability analysis and mitigation

An improper privilege management vulnerability was identified in Fortinet FortiOS version 7.2.0 and before 7.0.7, as well as FortiProxy version 7.2.0 through 7.2.1 and before 7.0.7. The vulnerability, assigned CVE-2022-38378, was discovered on August 16, 2022, and publicly disclosed on February 16, 2023. This security flaw allows an attacker with access to the admin profile section (System subsection Administrator Users) to escalate their privileges from Custom to Read-Write level through either CLI or GUI commands (MITRE CVE, FortiGuard).

The vulnerability is classified as an improper privilege management issue (CWE-269). According to the National Vulnerability Database, it received a CVSS v3.1 base score of 4.0, indicating medium severity. The attack vector is local (AV:L), requires low attack complexity (AC:L), high privileges (PR:H), and no user interaction (UI:N). The scope is unchanged (S:U), with high impacts on confidentiality (C:H) and integrity (I:H), but no impact on availability (A:N) (NVD).

The successful exploitation of this vulnerability allows an attacker to upgrade their privileges to Read-Write access, potentially gaining increased control over the affected systems. This elevation of privileges could lead to unauthorized access to sensitive system configurations and potential system compromise (MITRE CVE).

Affected organizations should upgrade their FortiOS to version 7.0.8 or later, or version 7.2.2 or later for FortiProxy installations. These versions contain the necessary security patches to address the vulnerability (NVD).